Bucks for Bugs

There's money to be made, legitimate and otherwise, for those who find software vulnerabilities

The going rate for a good security bug can help an undergrad pay for tuition or a cash-strapped researcher put a down payment on a car. And that's just if he or she sells it to a legitimate security software firm, which pays anywhere from $2,000 to $10,000 a bug.

The black market can be even more lucrative. A bad guy hacker can get $20,000 to $30,000 for a "weaponized" exploit, says David Maynor, senior researcher for SecureWorks. (See Getting Buggy with the MOBB.) "This is something that is pretty much fire-and-forget and wouldn't require much technical expertise to run," Maynor says.

What the two markets have in common is potential impact: The more targets a bug can hit if it's converted into an exploit and let loose in the wild, the more it pays.

Among the security firms that do business with bug finders are 3Com/TippingPoint's Zero Day Initiative, iDefense, and Digital Armaments. "They typically pay between $2,000 and $10,000 for these so they are able to better protect their clients from these exploits and work with vendors to help them develop protections," Maynor says.

It's a controversial practice. iDefense has been criticized for reselling the bugs it buys, as well as for its promotions. It recently held a contest that paid $10,000 for remote Windows vulnerabilities, for example.

3Com's year-old Zero Day Initiative has about 400 registered researchers from whom the firm has purchased over 100 bugs, according to Terri Forslof, security response manager for 3Com's Zero Day Initiative program. And the program has yielded results, she says. "We've released 25 public advisories and have a slew in the queue waiting for the vendors to correct them," says Forslof, who wouldn't disclose what 3Com pays the bug-writers.

No one knows for sure just how much you can make on the black market, but tens of thousands of dollars for a browser bug isn't unheard of. The infamous Windows MetaFile vulnerability used in malware last year was reportedly purchased by bad guys for $4,000.

"There are small communities of researchers doing this and managing to sell to crime syndicates," says one researcher who requested anonymity.

Most vendors that buy bugs say they are careful about whom they deal with. ImmunitySec, which purchases vulnerabilities for its Canvas exploitation tool, tries to work mostly with researchers it knows, says David Aitel, ImmunitySec's CTO. "When we're buying a bug, we typically know the people we're dealing with. We're more likely to buy from 'friends and family'," Aitel says.

There's a lengthy contract negotiation phase involved in a bug buy, too, Aitel says, and ImmunitySec could pay the researcher $2,500 and then spend another $2,500 in legal negotiation fees.

And ImmunitySec doesn't fork out the big bucks like iDefense and others. "We're not going to pay tens of thousands of dollars for the perfect bug," he says. "We get approached all the time. Sometimes we get burnt, sometimes not. If they are dishonest, their price usually goes up," which kills the deal.

But the practice of bugs for money has its ethical dilemma, too. Does offering money for bugs basically create a monster, or does it actually tame potential monsters out there in the wild?

Peter Lindstrom, research director for Spire Security, says he doesn't necessarily buy the altruistic claims of researchers who sell their handiwork to security vendors. "When there's money interests involved, you can no longer claim altruistic motives," he says. "I get tired of folks saying this will reduce risk. Clearly, all this stuff demonstrated in the real world increases our risk -- the typical buffer overflow or cross-site scripting bug isn't going to help anything."

Lindstrom says he's torn, though, on whether having this somewhat formalized process for sharing vulnerabilities is better than nothing. "Offering money creates a market. But [the legitimate buyers] attract these folks into a more open, structured process, which is better" than the unchecked black market, he says, and it creates a nice paper trail, too. But he also worries this more formal market inadvertently boosts a bug's black market potential as well.

Not all researchers sell their bugs, however, and not all security firms will buy them. eEye Digital Security, for instance, hires its own bug hunters and doesn't buy or sell what it finds. "Organizations that do are adding a level of legitimacy to the underground market that has always existed," says Steve Manzuik, research manager for eEye. eEye takes its vulnerability findings to the affected vendors first, such as Microsoft, he says.

There's no way to stop a money-hungry bug writer from starting a bidding war between the good guys and bad guys, either. "Whoever pays more gets the goods. It is naive to assume that the good guys will always, or even often, outbid the criminally intended bidders," says Ivan Arce, CTO of Core Security, which finds vulnerabilities in software but doesn't sell them.

Bug finders, meanwhile, sometimes score "real job" opportunities when they peddle their vulnerability code to security firms. Aitel says the bulk of ImmunitySec's research is done in-house, so if a researcher's work is good enough for the company to buy, he or she is probably qualified for hiring and could be considered for a job.

Whether it's more cost-effective to work as a freelance bug finder or get a day job depends on how many bugs you can produce. A vulnerability researcher costs a security company about $80,000 to $100,000 per year, Arce says, so a freelancer would have to generate ten big-time bugs worth about $10,000 apiece to match a legitimate salary. "You would need to be really good at it and dedicate full time to the task."

Still, there's a healthy market for the freelancers. "Clearly, the model works because the supply of bugs is generated not by professional bug finders, but by amateurs or hobbyists that are either unemployed or perform other duties for their official employer," Arce says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
